Improve inactive user management with functional api activity #5257

Open

guerricv wants to merge 12 commits into nilsteampassnet:master from guerricv:Improve-Inactive-User-Management-with-Functional-API-Activity

Conversation

@guerricv

Contributor

Summary

This change updates inactive user management so browser extension and API users are not incorrectly treated as inactive when they perform real TeamPass actions without logging into the PHP web interface.

The implementation does not require a database schema migration. It reuses users.last_connexion as the canonical "last functional activity" timestamp for inactivity handling.

Problem

Inactive user management previously relied on users.last_connexion, which is updated by web login flows but not by API or browser extension usage.

As a result, users who actively used TeamPass through the browser extension or API could still receive inactive-account warning emails, and later be disabled or deleted by the automated grace-period action.

At the same time, a simple API authentication, JWT validation, token refresh, or extension settings refresh should not be enough to keep an account active. Those are technical session events, not necessarily user-visible activity.

Changes

  • Added a shared functional-activity helper in app/sources/main.functions.php.
  • Marked functional API activity when API-originated item logs are produced for:
    • item read/show
    • item creation
    • item modification
    • item deletion
    • item import
  • Added explicit activity marking for successful API URL searches that return accessible items.
  • Added explicit activity marking for successful API OTP retrieval.
  • Deliberately left technical API/session endpoints out of inactivity refresh:
    • /authorize
    • /authorizeToken
    • JWT validation in api/index.php
    • logout/session lifecycle
    • extension settings refresh
    • folder list/writable folder refresh
  • Updated the inactive-user worker to compute activity from both:
    • users.last_connexion
    • existing API item logs marked with tp_src=api
  • Backfilled users.last_connexion during the worker run when a newer functional API activity is found in logs.
  • Reset pending inactive-user warning/action state when functional API activity happened after the warning.
  • Updated inactive-user listing and "no activity" counts to consider functional API item logs.
  • Updated English/French labels and documentation to describe "activity" instead of only "login".
  • Added static regression tests covering the API activity rules and inactive-user wiring.

No Database Migration

No new table, column, index, or upgrade script is required.

The change intentionally reuses the existing users.last_connexion field as the inactivity baseline. Its practical meaning becomes "last functional user activity" for inactive-user management.

Activity Semantics

Counts as activity:

  • web login, as before
  • item read/show through API or extension
  • item search by URL through API or extension when accessible results are returned
  • OTP retrieval through API
  • item create/update/delete/import through API

Does not count as activity on its own:

  • API authentication
  • Personal Access Token authentication
  • JWT validation
  • token/session refresh
  • logout
  • extension settings refresh
  • folder list refresh
  • writable folders refresh

Performance Notes

API activity updates are throttled in the shared helper to avoid rewriting users.last_connexion on every repeated request.

The inactive-user worker performs one grouped lookup against log_items for the users it is already checking. It does not perform one log query per user.

Security Notes

This change does not expose new API data, token data, session identifiers, key material, or item content.

It only updates inactivity metadata for the authenticated user after successful functional actions.

Validation

  • Added tests/Unit/InactiveUsersApiActivityTest.php static regression coverage.
  • Reviewed the API auth flow to ensure authentication and token validation do not refresh inactivity state.
  • Reviewed item read/search/OTP/mutation flows to ensure only user-visible actions refresh inactivity state.
  • Reviewed inactive-user worker ordering so functional activity after a warning resets tracking before any due action is applied.
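The rules the description lays out (functional item actions versus technical session events, a throttled write to `users.last_connexion`, one grouped lookup over `log_items` rows with `tp_src=api`, backfill of `last_connexion`, and reset of a pending warning when activity postdates it) modelled as an added PHP example. This is not the PR's code: it uses in-memory arrays in place of the `users` and `log_items` tables, placeholder action names (`read`, `create`, ... rather than TeamPass's real log action values), an assumed 300-second throttle window, and constructed users, log rows and timestamps.

```php
<?php
declare(strict_types=1);

// Added example, not code from the TeamPass PR. It models the inactivity rules
// described in the PR with in-memory arrays instead of the users / log_items
// tables. All users, log rows, action names and timestamps are constructed.

// Log actions treated as functional activity (placeholder names, not TeamPass's).
const FUNCTIONAL_ACTIONS = ['read', 'create', 'update', 'delete', 'import'];

// Assumed throttle window: do not rewrite last_connexion more often than this.
const ACTIVITY_THROTTLE_SECONDS = 300;

const DAY = 86400;

/**
 * Mark functional API activity for a user. Repeated calls inside the throttle
 * window skip the write. Returns true when last_connexion was actually updated.
 */
function markFunctionalActivity(array &$user, int $now): bool
{
    if ($now - $user['last_connexion'] < ACTIVITY_THROTTLE_SECONDS) {
        return false; // recent enough, no write
    }
    $user['last_connexion'] = $now;
    return true;
}

/**
 * Newest functional API activity per user, computed in a single pass over the
 * log rows (the grouped lookup: one scan, not one query per user). Only rows
 * with tp_src=api and a functional action count; auth, token refresh and
 * settings refresh are technical events and are ignored even if logged.
 */
function latestApiActivityByUser(array $logs): array
{
    $latest = [];
    foreach ($logs as $row) {
        if (($row['tp_src'] ?? '') !== 'api') {
            continue;
        }
        if (!in_array($row['action'], FUNCTIONAL_ACTIONS, true)) {
            continue;
        }
        $uid = $row['id_user'];
        $latest[$uid] = max($latest[$uid] ?? 0, $row['date']);
    }
    return $latest;
}

/**
 * Worker step. Returns a decision per user id: 'active', 'warn' (warning sent
 * now), 'warned_pending' (inside the grace period) or 'action' (disable/delete
 * is due). Backfills last_connexion from newer API activity and clears a pending
 * warning when functional activity happened after it, before any action is applied.
 */
function evaluateInactiveUsers(array &$users, array $logs, int $now, int $inactiveAfter, int $graceAfter): array
{
    $apiActivity = latestApiActivityByUser($logs);
    $decisions = [];
    foreach ($users as &$user) {
        $lastActivity = max($user['last_connexion'], $apiActivity[$user['id']] ?? 0);
        if ($lastActivity > $user['last_connexion']) {
            $user['last_connexion'] = $lastActivity; // backfill from API logs
        }
        if ($user['warned_at'] !== null && $lastActivity > $user['warned_at']) {
            $user['warned_at'] = null; // activity after the warning resets tracking
        }
        $idle = $now - $lastActivity;
        if ($idle < $inactiveAfter) {
            $decisions[$user['id']] = 'active';
        } elseif ($user['warned_at'] === null) {
            $user['warned_at'] = $now;
            $decisions[$user['id']] = 'warn';
        } elseif ($now - $user['warned_at'] >= $graceAfter) {
            $decisions[$user['id']] = 'action';
        } else {
            $decisions[$user['id']] = 'warned_pending';
        }
    }
    unset($user);
    return $decisions;
}

// ---- constructed sample run ----
$now = 100 * DAY;
$users = [
    ['id' => 1, 'last_connexion' => 90 * DAY, 'warned_at' => null],     // web user, recent login
    ['id' => 2, 'last_connexion' => 40 * DAY, 'warned_at' => null],     // extension user, old web login
    ['id' => 3, 'last_connexion' => 55 * DAY, 'warned_at' => null],     // only authenticates via API
    ['id' => 4, 'last_connexion' => 50 * DAY, 'warned_at' => 90 * DAY], // warned, then used the API
    ['id' => 5, 'last_connexion' => 50 * DAY, 'warned_at' => 90 * DAY], // warned, still idle
];
$logs = [
    ['id_user' => 2, 'tp_src' => 'api', 'action' => 'read',   'date' => 98 * DAY],
    ['id_user' => 3, 'tp_src' => 'api', 'action' => 'auth',   'date' => 99 * DAY], // technical, ignored
    ['id_user' => 4, 'tp_src' => 'api', 'action' => 'update', 'date' => 95 * DAY],
    ['id_user' => 5, 'tp_src' => 'web', 'action' => 'read',   'date' => 99 * DAY], // not tp_src=api, ignored
];

$decisions = evaluateInactiveUsers($users, $logs, $now, 30 * DAY, 7 * DAY);
foreach ($users as $u) {
    printf("user %d: %-14s last_connexion=day %d warned_at=%s\n", $u['id'], $decisions[$u['id']],
        intdiv($u['last_connexion'], DAY),
        $u['warned_at'] === null ? 'none' : 'day ' . intdiv($u['warned_at'], DAY));
}
// Expected: 1 active, 2 active (backfilled to day 98), 3 warn, 4 active (warning cleared), 5 action.

// Throttle: the first marking writes, the second one inside the window does not.
var_dump(markFunctionalActivity($users[1], $now));      // bool(true)
var_dump(markFunctionalActivity($users[1], $now + 60)); // bool(false)
```

Run it with `php example.php`. The ordering inside `evaluateInactiveUsers` is the point the PR's validation list makes: the backfill and the warning reset happen before the idle check, so a user who performed a functional API action after being warned is never disabled on a stale warning.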
